The compliance deadline for the European Union’s General Data Protection Regulation (GDPR) is nearly upon us, the unveiling of a proposed model to bring WHOIS into compliance is said to come from ICANN next week, and everyone is scrambling to understand all that’s involved. Implementation of a revised WHOIS model is clearly on the horizon, but what comes after may be the real story! Specifically, if WHOIS information becomes more than nominally restricted, what’s the consequence to the data controllers (ICANN and the contracted parties) who implement this revised model?

WHOIS and Critical Tasks

WHOIS is critical for:

• Informing buyers/sellers/brokers of domain names about the soundness of ownership and transparency into the parties to a transaction;
• Helping law enforcement and other authorities investigate and resolve criminal activity, and predict the growth or migration of that activity across the DNS;
• Enabling brand owners and other IP rights holders to protect and defend their marks and assets; and
• Helping security experts quickly and effectively deal with and identify patterns for the spread of malware, botnets, spam and other abusive behavior in the DNS.

These are but a few examples and, while WHOIS may seem like an “aside” to the critical role domain names play on the Internet, this underlying ownership data is crucial to many functions that keep the domain name system secure and stable.

Curtailing WHOIS - Where will the Data Come From?

I understand that some registrars and registries have embraced—and even started engineering for—a compliance model very similar to ICANN’s Model 3, a system the European Commission itself says is probably too restrictive. If a system that obstructive is embraced, data may go away, but the need for that data to perform critical tasks does not. As one industry observer put it:

What the European Data Protection authorities have not yet put together is that the protection of people’s mental integrity on the Internet is not solely due to the action of law enforcement, but a cast of others (anti-spam/abuse initiates, DDoS mitigation, etc.) who are not law enforcement but do rely upon visibility into the DNS Whois to perform their services.

Significantly, respected security researcher Brian Krebs also made note of weakening security:

For my part, I can say without hesitation that few resources are as critical to what I do here…than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities.

So what happens next? Contracted parties have more than a small stake in the answer to that. Why? Because they’re the caretakers of WHOIS data, and in a world of curtailed WHOIS, the data necessary to critical tasks has to come from somewhere, and be brought to light somehow.

Let’s take IP rights enforcement. Say, conservatively, there are 1,000 queries a day (via port 43) to a registrar’s WHOIS. Now say, again conservatively, that 1% of those queries yields actionable information. The registrar, today, is off the hook, for the most part. The infringed-upon party usually pursues the matter and goes after ten “bad guys.”

In a restricted scenario, perhaps the registrar is now looking at 10 subpoenas for the previously publicly available data. But now assume a larger registrar gets one million queries a day. That 1% becomes 10,000 potential court actions to sort out. And that’s BEFORE the community arrives at a layered/gated model, with access offered to accredited third parties (potential mitigations that appear to be months away). I can’t imagine a registrar as large as GoDaddy or the Web.com family wants to deal with 10 court-sourced actions, never mind 10,000 or more—on a weekly or daily basis. Contracted parties need to very carefully consider these operational impacts when contemplating which models to implement or push for with ICANN ... as should ICANN.

Other Operational Impacts

A flood of legal service might not capture the whole picture.

• A restrictive WHOIS means the bad guys can hide more easily, and for longer. Registry zone files could clutter up with bad actors, and registrars may have customers in the house they don’t want.
• Query rates directly to the registrar community will squeeze upstream—especially under some of the layered/gated models being considered.
• There will be damage to brands, financial institutions, secure sites, and others that rely on the security community to quickly mobilize against bad actors or even anticipate their moves.
• External entities will be forced to use “blunter” instruments to protect users and consumers, and to pursue bad actors. Perhaps even by black-listing specific registrars or top-level domains.

Accuracy - the Other Liability Not being Considered

After GDPR models are implemented, now hiding behind a “gate” will be a database full of inaccurate or false information. We know this because today it is reported that even in Europe, less than half of WHOIS records contain data that meet operability standards. The European Commission’s recently released technical input on ICANN’s proposed GDPR-compliant WHOIS models underscored the GDPR’s “Accuracy” principle—making clear that reasonable steps should be taken to ensure the accuracy of any personal data obtained for WHOIS databases and that ICANN should be sure to incorporate this requirement in whatever model it adopts.

Many registry and registrar operators may be tempted to say, “So what? It’s what the registrant gave us and that’s where our obligation ends.” But the European Commission official who spoke during the February 22, 2018 discussion hosted by the BC and IPC indicated that controllers are responsible for the data quality under GDPR, and that inaccurate WHOIS data can be the basis of GDPR-based claims by data subjects and other recipients of inaccurate data. This certainly increases the risk to GDPR compliance and begs the question why ICANN wouldn’t ensure that contracted parties implement processes to validate and verify the contact information they allow into the WHOIS database.

Getting it Right

After months of discussion, review of countless documents and proposals, and many meetings, I’m still left feeling that we’re heading down a path that could result in a system with fewer benefits for all stakeholders and that we’re missing an opportunity to properly resolve a decades-old debate.

ICANN should move quickly to consult with all stakeholders to address critical elements of the resulting model, including e-mail address inclusion, verification for accuracy, bulk WHOIS access, and proper scoping. That model must include access to data for security and end-user protection—the latter cannot be imposed retroactively.

This is a critical move, before unintended consequences start to arrive.